type.inbound
and length(attachments) == 0
and regex.icontains(coalesce(body.html.inner_text, body.html.display_text),
'([a-zA-Z\d\.]\s){30,}'
)
and any(body.links,
.href_url.domain.domain in $free_file_hosts
or .href_url.domain.root_domain in $free_file_hosts
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or profile.by_sender().any_messages_malicious_or_spam
or sender.email.domain.valid == false
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.